How your passwords are stored (and why it matters)
Once a website starts handling user data, registration and logins, it needs to solve the problem of storing private data. A sizable user base makes the website a target for cybercriminals, and user data somehow needs to be both secret and usable. Passwords are at the center of this, because they are what attackers are usually after. It becomes clear, then, that passwords cannot simply be stored as they are (in "plain" text).
Hashing algorithms
This problem is solved by hashing algorithms. A hashing algorithm is a cryptographic process that generates a deterministic, fixed-length output for every possible input, often a string (an array of characters). For an algorithm to qualify as a cryptographic hash, its output must be irreversible, meaning that the original input cannot be reverse-engineered from the output alone; it must also hold that even tiny changes in the input produce wildly different outputs.
Many such algorithms exist; popular ones include MD5, SHA-1 and SHA-256, among others. Instead of storing your password directly, services generate its hash and store that instead, discarding the original password. Since the hash is deterministic, when you retype your password to log in, it runs through the same algorithm and the exact same result comes out, verifying that it's you. The service can confirm that you know the password without actually knowing the password itself. As such, even if attackers manage to breach the website, they do not directly get their hands on the users' passwords.
This system is not without faults. The fixed length of the hash (the output) means that there are only a finite number of possible outputs for an infinite number of inputs. This can create confusion through collisions (when two different known inputs produce the same output), which are a particular problem in older algorithms like MD5. Moreover, attackers keep lists of precomputed hashes of popular passwords and often just need to compare those against a stolen hash to find your password. Developers can combat this by mixing extra random information in with your password before hashing it, which is called salting. Even then, an attacker can run many different candidate passwords through the same algorithm until they find a match.
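To make the difference concrete, here is an added example (not code from the original article) that puts the unsalted scheme next to a salted one. It stores passwords with a random per-user salt and the slow PBKDF2 key-derivation function from Python's standard library, verifies a login against the stored record, and uses a small constructed stand-in for a precomputed table of popular passwords to show why the unsalted hash is matched immediately while two salted records for the same password look nothing alike. The record format "iterations$salt$hash" is an assumption made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Weak scheme: a bare, unsalted SHA-256 of the password (the practice the article warns about).
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Stronger scheme: random per-user salt, then a deliberately slow KDF (PBKDF2-HMAC-SHA256).
# Stored record layout (assumed for this example): "iterations$salt_hex$hash_hex".
ITERATIONS = 100_000

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Constructed stand-in for a precomputed table of popular passwords (four entries, for illustration).
COMMON = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {weak_hash(p): p for p in COMMON}

def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Return the password if an unsalted stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)

def demo() -> dict:
    alice = make_record("password")
    bob = make_record("password")  # same password, different salt
    return {
        "unsalted_hash_found_in_table": lookup_unsalted(weak_hash("password")) == "password",
        "same_password_same_weak_hash": weak_hash("password") == weak_hash("password"),
        "same_password_different_salted_records": alice != bob,
        "correct_password_verifies": verify("password", alice),
        "wrong_password_rejected": not verify("passw0rd", alice),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every key in the dictionary returned by demo() is True, which is the point: salting does not stop a targeted guess, but it does make precomputed tables useless and hides which users share a password.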
You cannot know how websites handle your data
Still, hashing remains the best known defence against password breaches. The main issue, however, is that not all services actually use these algorithms. Many go against industry standards and store their users' passwords in plain text. What's worse, users cannot know this, often until it's too late and the passwords have already been breached.
Solutions
There are two common ways to solve this, both with their upsides and drawbacks:
The first and often easier way is to avoid giving random sites your credentials, and instead log in through popular big tech services like Google or Facebook. This is effortless and avoids unnecessarily sharing your password, but the service you log in through becomes a single point of failure. If it gets attacked and breached, it affects you greatly, because you have put all your eggs in one basket.
The second, arguably smarter but more tedious, method is to use a different, unique password for each service. This way, even if a website is breached, you have contained the breach to just that site. This, however, requires you to create and store many different passwords. This is where services like the password generator hosted on this website, and password managers, become useful. They do a lot of the work for you, avoiding patterns and biases in generation and storing your passwords in safer ways.
For better or for worse, passwords have become too important in our lives for us to be casual about them. Most people cannot afford to have their email or personal social media accounts lost or hacked. This is why it is important for you to eliminate the need for trust and ensure your own security.
So what should you do?
You should stop trying to think of new, predictable passwords, and you should stop adding trailing numbers and symbols to already weak passwords. You need to generate secure passwords, whether with this website or another, and stop reusing the same passwords again and again. You need to start using a password manager. We'll soon publish articles on both of these topics with more information!